From 63cd5c61432834c5cd717a115cabcad29b0603d6 Mon Sep 17 00:00:00 2001 From: Hsiu-Chang Chen Date: Mon, 25 Apr 2022 11:43:29 +0800 Subject: Add sepolicy for pixellogger 04-25 11:36:17.795 4101 4101 I auditd : type=1400 audit(0.0:6339): avc: denied { search } for comm="LoggingService" name="wifi" dev="dm-40" ino=338 scontext=u:r:logger_app:s0:c229,c256,c512,c768 tcontext=u:object_r:vendor_wifi_vendor_data_file:s0 tclass=dir permissive=1 app=com.android.pixellogger 04-25 11:36:17.799 863 863 I auditd : type=1400 audit(0.0:6340): avc: denied { search } for comm="wifi_ext@1.0-se" name="wifi" dev="dm-40" ino=338 scontext=u:r:hal_wifi_ext:s0 tcontext=u:object_r:vendor_wifi_vendor_data_file:s0 tclass=dir permissive=1 Bug: 230280450 Test: Pixelloger can collect WLAN logs Change-Id: Id95e4132f2814deb1fbfb307568a4ece87a28611 --- vendor/hal_wifi_ext.te | 1 + vendor/logger_app.te | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 vendor/logger_app.te diff --git a/vendor/hal_wifi_ext.te b/vendor/hal_wifi_ext.te index a16d595..b26ff32 100644 --- a/vendor/hal_wifi_ext.te +++ b/vendor/hal_wifi_ext.te @@ -1,4 +1,5 @@ allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms; +allow hal_wifi_ext vendor_wifi_vendor_data_file:dir rw_dir_perms; # write to files owned by location daemon allow hal_wifi_ext vendor_location_socket:dir rw_dir_perms; diff --git a/vendor/logger_app.te b/vendor/logger_app.te new file mode 100644 index 0000000..26c0cc6 --- /dev/null +++ b/vendor/logger_app.te @@ -0,0 +1,3 @@ +userdebug_or_eng(` + allow logger_app vendor_wifi_vendor_data_file:dir rw_dir_perms; +') -- cgit v1.2.3 From 7a86c2d697fbde4391060535c05e05f767cee065 Mon Sep 17 00:00:00 2001 
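Review bot: The added `allow hal_wifi_ext vendor_wifi_vendor_data_file:dir rw_dir_perms;` grants much more than the denial in the description asks for: the log shows only `search` on the `wifi` directory, while `rw_dir_perms` also allows `add_name`, `remove_name` and `write`, i.e. creating and deleting entries there. The rule is also unconditional, whereas the companion `logger_app` rule in this same change is wrapped in `userdebug_or_eng`, even though the stated purpose is PixelLogger log collection. Unless the HAL really writes into that directory on user builds, `search` (or `r_dir_perms`) inside `userdebug_or_eng` is the least-privilege fit, with a comment such as `# search the vendor wifi data dir for WLAN log collection (PixelLogger)`; I am inferring the directory from `name="wifi"` in the denial, so confirm the path.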
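Review bot: The new `logger_app` rule covers only the `dir` class, so once `search` succeeds the next thing `LoggingService` does in that directory (reading or creating log files, presumably) will raise a file-class denial this change does not anticipate; worth checking whether `allow logger_app vendor_wifi_vendor_data_file:file r_file_perms;` belongs in the same `userdebug_or_eng` block. The file also has no comment saying why an app domain touches vendor data directly; one line like `# PixelLogger (debug builds only) collects WLAN logs from the vendor wifi data dir` would record the intent.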
From: sukiliu Date: Mon, 30 May 2022 14:06:55 +0800 Subject: Update avc error on ROM 8659812 Bug: 234311757 Bug: 234311798 Bug: 234311675 Bug: 234311758 Test: forrest with boot test w/ SELinux check Change-Id: I809cd16ca133fcbe5dbac6c7b8f089897fab300c --- tracking_denials/bug_map | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 tracking_denials/bug_map diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map new file mode 100644 index 0000000..78a4044 --- /dev/null +++ b/tracking_denials/bug_map @@ -0,0 +1,4 @@ +hal_health_default sysfs file b/234311757 +hal_radioext_default hal_bluetooth_default binder b/234311798 +init-insmod-sh init-insmod-sh capability b/234311675 +system_suspend sysfs dir b/234311758 -- cgit v1.2.3 From 2d50edbc64862c5e2ca2f47ef119084392a0c83e Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Tue, 31 May 2022 12:59:43 +0800 Subject: Add sepolicy for P9222 WLC power_supply 05-30 05:13:03.096 836 836 I auditd : type=1400 audit(0.0:6): avc: denied { getattr } for comm="android.hardwar" path="/sys/devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply/wireless/capacity" dev="sysfs" ino=71270 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 05-30 05:13:03.100 836 836 I auditd : type=1400 audit(0.0:7): avc: denied { read } for comm="android.hardwar" name="type" dev="sysfs" ino=71272 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 234311757 Test: build ok, no avc denied Signed-off-by: Jack Wu Change-Id: I0fb296a9472eda7ff5f2babfea1c769caea525e1 --- vendor/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index b51cb91..11766e5 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -3,3 +3,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u # Wifi genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0 + +# BMS +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 -- cgit v1.2.3 From 07f8ea39a14586ecc76b908da70fc348703f9a06 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Mon, 6 Jun 2022 11:06:10 +0800 Subject: sepolicy: label more paths for sysfs_wakeup Bug: 234311758 Test: forrest apct/device_boot_health_check_extra Change-Id: I6dab109733062b32e09cfddcbf43cbdc515c07ba Signed-off-by: Darren Hsu --- tracking_denials/bug_map | 1 - vendor/genfs_contexts | 6 ++++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 78a4044..47b165b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,3 @@ hal_health_default sysfs file b/234311757 hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 -system_suspend sysfs dir b/234311758 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 11766e5..9419ac4 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -7,3 +7,9 @@ genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0 # BMS genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 + +# System Suspend +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0 -- cgit v1.2.3 From d4e9442a2eb49d42999b548480f0d3c44a838da0 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 8 Jun 2022 08:11:22 +0800 Subject: Update error on ROM 8693966 bug: 234311798 bug: 235281134 bug: 235281415 Test: SELinuxUncheckedDenialBootTest Change-Id: Ib6da45ce6d0c8d0d2668fcc2b3b41cf450c953d2 --- lynx-sepolicy.mk | 1 + tracking_denials/bug_map | 1 - tracking_denials/lowi_server.te | 2 ++ 3 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 tracking_denials/lowi_server.te diff --git a/lynx-sepolicy.mk b/lynx-sepolicy.mk index 6efe95c..4c770e4 100644 --- a/lynx-sepolicy.mk +++ b/lynx-sepolicy.mk @@ -1,2 +1,3 @@ # sepolicy that are shared among devices using whitechapel BOARD_SEPOLICY_DIRS += device/google/lynx-sepolicy/vendor +BOARD_SEPOLICY_DIRS += device/google/lynx-sepolicy/tracking_denials diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 47b165b..a51827c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,2 @@ -hal_health_default sysfs file b/234311757 hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 
diff --git a/tracking_denials/lowi_server.te b/tracking_denials/lowi_server.te new file mode 100644 index 0000000..d3c1bd5 --- /dev/null +++ b/tracking_denials/lowi_server.te @@ -0,0 +1,2 @@ +# b/235281415 +dontaudit lowi_server vendor_location:unix_dgram_socket { read write }; -- cgit v1.2.3 From 9a67905169b726faa7618706d9387ca5898e6cab Mon Sep 17 00:00:00 2001 From: timothywang Date: Tue, 14 Jun 2022 10:30:10 +0800 Subject: Add sepolicy to enable camera vendor property Bug: 234324271 Test: adb shell getprop Change-Id: I6a0b344880deeb767df97136c42b2fb86668f39d --- vendor/vendor_init.te | 1 + 1 file changed, 1 insertion(+) create mode 100644 vendor/vendor_init.te diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te new file mode 100644 index 0000000..6d9b469 --- /dev/null +++ b/vendor/vendor_init.te @@ -0,0 +1 @@ +set_prop(vendor_init, vendor_camera_prop) -- cgit v1.2.3 From 101db9756d5eff6840c748893e96e9153665cd89 Mon Sep 17 00:00:00 2001 From: Hsiu-Chang Chen Date: Fri, 24 Jun 2022 17:07:25 +0800 Subject: Add sepolicy for lowi-server 06-24 16:58:55.724 9519 9519 I lowi-server: type=1400 audit(0.0:1980): avc: denied { read write } for path="socket:[69473]" dev="sockfs" ino=69473 scontext=u:r:lowi_server:s0 tcontext=u:r:vendor_location:s0 tclass=unix_dgram_socket permissive=1 Bug: 235281415 Test: avc error is gone Change-Id: I93615b98c08f6e6e5c3cc182bddcff30e452e103 --- tracking_denials/lowi_server.te | 2 -- vendor/lowi_server.te | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 tracking_denials/lowi_server.te diff --git a/tracking_denials/lowi_server.te b/tracking_denials/lowi_server.te deleted file mode 100644 index d3c1bd5..0000000 --- a/tracking_denials/lowi_server.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/235281415 -dontaudit lowi_server vendor_location:unix_dgram_socket { read write }; diff --git a/vendor/lowi_server.te b/vendor/lowi_server.te index c1281f9..e107cf2 100644 --- a/vendor/lowi_server.te +++ b/vendor/lowi_server.te 
@@ -10,7 +10,7 @@ allow lowi_server self:netlink_route_socket create_socket_perms_no_ioctl; ## lowi-server ############## allow lowi_server vendor_location:fd use; -allow lowi_server vendor_location:unix_dgram_socket sendto; +allow lowi_server vendor_location:unix_dgram_socket {sendto read write}; # some additional network access allow lowi_server self:netlink_generic_socket create_socket_perms_no_ioctl; -- cgit v1.2.3 From b9be0516dc5652794e190911c9fe4c17a66846ff Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 29 Jun 2022 09:48:35 +0800 Subject: update error on ROM 8769316 Bug: 237467750 Test: SELinuxUncheckedDenialBootTest Change-Id: I0ad1b8cc2f0d298143de177f49e45418dfd857ac --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a51827c..b252b1b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,2 +1,3 @@ hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 +vendor_location lowi_server unix_dgram_socket b/237467750 -- cgit v1.2.3 From 4d4fd451a6de766398829c205d02cff0a89f4a69 Mon Sep 17 00:00:00 2001 
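Review bot: The widened `{sendto read write}` on `vendor_location:unix_dgram_socket` targets a socket object owned by the `vendor_location` domain (the denial's tcontext is the domain, not a sock_file), which together with the existing `allow lowi_server vendor_location:fd use;` suggests lowi_server operates on a socket fd handed over by vendor_location; nothing in the file says so. A comment on the changed line, e.g. `# read/write dgram socket fds received from vendor_location (see fd use above)`, would record that, and it is worth confirming the fd really is passed rather than `read`/`write` being copied from a permissive-mode log. The lowi_server section continues outside the hunk.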
From: Hsiu-Chang Chen Date: Wed, 29 Jun 2022 15:01:15 +0800 Subject: Add sepolicy for vendor_location 06-25 21:59:57.532 3922 3922 I auditd : type=1400 audit(0.0:11): avc: denied { sendto } for comm="loc_mq_clnt" path="/dev/socket/location/mq/LOWI-SERVER" scontext=u:r:vendor_location:s0 tcontext=u:r:lowi_server:s0 tclass=unix_dgram_socket permissive=0 06-29 04:30:11.188 8182 8182 I auditd : type=1400 audit(0.0:1517): avc: denied { sendto } for comm="loc_mq_clnt" path="/dev/socket/location/mq/7b2e9924f8-LC" scontext=u:r:vendor_location:s0 tcontext=u:r:hal_wifi_ext:s0 tclass=unix_dgram_socket permissive=0 Bug: 237467750 Test: avc error is gone Change-Id: Ic4ff2bdf30b042c08c38b134c6af086d7033511f --- tracking_denials/bug_map | 1 - vendor/vendor_location.te | 4 ++++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b252b1b..a51827c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,2 @@ hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 -vendor_location lowi_server unix_dgram_socket b/237467750 diff --git a/vendor/vendor_location.te b/vendor/vendor_location.te index cefcd49..05f55a6 100644 --- a/vendor/vendor_location.te +++ b/vendor/vendor_location.te @@ -13,3 +13,7 @@ allow vendor_location vendor_location_socket:dir rw_dir_perms; # /sys/devices/soc0/soc_id allow vendor_location vendor_location_sysfs:file create_file_perms; + +# /dev/socket/location/mq/* +allow vendor_location lowi_server:unix_dgram_socket {sendto read write}; +allow vendor_location hal_wifi_ext:unix_dgram_socket {sendto read write}; -- cgit v1.2.3 From d734865c1ba9e42397d3e679e6c887866324da03 Mon Sep 17 00:00:00 2001 
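Review bot: Both new lines grant `{sendto read write}` while the two denials quoted in the description show only `sendto` (on `/dev/socket/location/mq/LOWI-SERVER` and `/dev/socket/location/mq/7b2e9924f8-LC`), so `read` and `write` on the peer domains' socket objects are not backed by any logged access and should be dropped unless a further denial shows them, e.g. `allow vendor_location lowi_server:unix_dgram_socket sendto;` and the same for `hal_wifi_ext`. The `# /dev/socket/location/mq/*` comment would also be more useful if it said these are peer sockets created by lowi_server and the wifi HAL, which is how I read the tcontexts.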
From: Adam Shih Date: Wed, 6 Jul 2022 02:58:26 +0000 Subject: Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 238143398 Change-Id: Ic30fa2201c37296a031d0e9ddc518c47c49ccaa2 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a51827c..f5d871f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,2 +1,3 @@ hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 +kernel vendor_regmap_debugfs dir b/238143398 -- cgit v1.2.3 From 683104a6a861c9eae96dfe19a43fef184bed4eca Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 13 Jul 2022 14:37:17 +0800 Subject: Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 238837168 Change-Id: Ic852fa8e8c1a8832699bc7f001abc7769ba67394 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f5d871f..35420f7 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,4 @@ hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 kernel vendor_regmap_debugfs dir b/238143398 +crash_dump vendor_slog_file dir b/238837168 -- cgit v1.2.3 From c6daa1aa2e294e0c77716a64de1cf4078d6f0c65 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 14 Jul 2022 06:47:13 +0000 Subject: Update SELinux error Bug: 234547283 Change-Id: I9caeeee12b5c8f29d9962cfc93d4902115c99b90 --- tracking_denials/bug_map | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 35420f7..60f870f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -1,4 +1,4 @@ +crash_dump vendor_slog_file dir b/238837168 hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 kernel vendor_regmap_debugfs dir b/238143398 -crash_dump vendor_slog_file dir b/238837168 -- cgit v1.2.3 From 74af0fe9e61b85f0e6a929307a311b7b91359f2f Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 18 Jul 2022 10:55:40 +0800 Subject: Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 239364745 Change-Id: I65e5ac420fe7c94cfb08d4a9e1f1191152b49754 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 60f870f..e794e28 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,5 @@ crash_dump vendor_slog_file dir b/238837168 hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 +init-insmod-sh vendor_ready_prop property_service b/239364745 kernel vendor_regmap_debugfs dir b/238143398 -- cgit v1.2.3 From b51016a53f260e35457a21c9a7e7598851ff9f3a Mon Sep 17 00:00:00 2001 From: Robin Peng Date: Mon, 18 Jul 2022 22:25:04 +0800 Subject: Revert "Update SELinux error" This reverts commit 74af0fe9e61b85f0e6a929307a311b7b91359f2f. Reason to revert: issue has been fixed Bug: 239364576 Bug: 239364745 Signed-off-by: Robin Peng Change-Id: Iaef3454b376a7d5266b72f242b0ca94c77e1c1fe --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e794e28..60f870f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,4 @@ crash_dump vendor_slog_file dir b/238837168 hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 -init-insmod-sh vendor_ready_prop property_service b/239364745 kernel vendor_regmap_debugfs dir b/238143398 -- cgit v1.2.3 
From 49a3cfae3a31fcc1346fb988d10a1c74269a8a24 Mon Sep 17 00:00:00 2001 From: Cheney Ni Date: Mon, 18 Jul 2022 17:36:31 +0000 Subject: Bluetooth: Allow QTI HAL service to access its logbuffer Bug: 229691092 Test: Pass file permission check Change-Id: Ic97bf3b23c452d20e5e32f3bafe2f6b2c5d2be3b --- bluetooth/file_contexts | 7 ++++++- bluetooth/hal_bluetooth_default.te | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts index da02008..5560dc7 100644 --- a/bluetooth/file_contexts +++ b/bluetooth/file_contexts @@ -1,5 +1,10 @@ -# Bluetooth +# Bluetooth HAL service /vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0 +# Bluetooth Vendor nodes /dev/btpower u:object_r:bt_device:s0 /dev/ttySAC18 u:object_r:hci_attach_dev:s0 + +# Bluetooth Debuggable HAL nodes +/dev/logbuffer_btpower u:object_r:logbuffer_device:s0 +/dev/logbuffer_tty18 u:object_r:logbuffer_device:s0 diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te index dcd2b7f..8bbfa77 100644 --- a/bluetooth/hal_bluetooth_default.te +++ b/bluetooth/hal_bluetooth_default.te @@ -3,6 +3,7 @@ allow hal_bluetooth_default bt_device:chr_file rw_file_perms; add_hwservice(hal_bluetooth_default, hal_bluetooth_coexistence_hwservice) userdebug_or_eng(` + allow hal_bluetooth_default logbuffer_device:chr_file r_file_perms; allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir rw_dir_perms; allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file { create_file_perms }; set_prop(hal_bluetooth_default, vendor_ssrdump_prop) -- cgit v1.2.3 From 20deb31861974cee99d79d28e4ee8e37f5cc75ff Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 22 Jul 2022 10:34:53 +0800 Subject: Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 239887174 Change-Id: I4034d5ae64004142e312fd534d436014bfc0fe5b --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) 
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 60f870f..0a70c41 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,5 @@ crash_dump vendor_slog_file dir b/238837168 hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 +kernel vendor_charger_debugfs dir b/239887174 kernel vendor_regmap_debugfs dir b/238143398 -- cgit v1.2.3 From 0c59021e5887202fbfa7305f8ed9d22e48733101 Mon Sep 17 00:00:00 2001 From: Hsiu-Chang Chen Date: Wed, 27 Jul 2022 13:35:04 +0800 Subject: Add sepolicy for hal_wifi_ext 07-27 11:58:09.569 869 869 I auditd : type=1400 audit(0.0:2682598): avc: denied { read } for comm="wifi_ext@1.0-se" name="driverdump" dev="proc" ino=4026535980 scontext=u:r:hal_wifi_ext:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0 Bug: 239656339 Test: avc error is gone Change-Id: Icf816897780fecc1bb35696e492e6fa2661abc20 --- vendor/file.te | 3 ++- vendor/genfs_contexts | 1 + vendor/hal_wifi_ext.te | 3 +++ 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/vendor/file.te b/vendor/file.te index 2553c74..b70b548 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -2,4 +2,5 @@ type vendor_location_data_file, file_type, data_file_type; type vendor_location_socket, file_type; type vendor_wifi_vendor_data_file, file_type, data_file_type; type vendor_wifihal_socket, file_type; -type vendor_location_sysfs, fs_type, sysfs_type; \ No newline at end of file +type vendor_location_sysfs, fs_type, sysfs_type; +type vendor_proc_wifi_dbg, fs_type, proc_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 9419ac4..dd1b196 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -3,6 +3,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u # Wifi genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0 +genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0 # BMS genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0 diff --git a/vendor/hal_wifi_ext.te b/vendor/hal_wifi_ext.te index b26ff32..fbe187d 100644 --- a/vendor/hal_wifi_ext.te +++ b/vendor/hal_wifi_ext.te @@ -11,3 +11,6 @@ allow hal_wifi_ext lowi_server:unix_dgram_socket sendto; unix_socket_connect(hal_wifi, vendor_location, vendor_location) allow hal_wifi_ext vendor_wifihal_socket:dir rw_dir_perms; allow hal_wifi_ext vendor_wifihal_socket:sock_file create_file_perms; + +# allow hal_wifi to write into /proc/debugdriver/driverdump +r_dir_file(hal_wifi_ext, vendor_proc_wifi_dbg); -- cgit v1.2.3 From 4e2b651fdccffb369ad937258dec6a3486a11e2e Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Thu, 28 Jul 2022 10:16:55 +0800 Subject: sepolicy: allow hal_power_stats to read wifi sysfs and property avc: denied { read } for name="power_stats" dev="sysfs" ino=114517 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 avc: denied { read } for name="u:object_r:wifi_hal_prop:s0" dev="tmpfs" ino=371 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:wifi_hal_prop:s0 tclass=file permissive=0 Bug: 240391946 Test: get bugreport and make sure no avc denials related to Test: hal_power_stats Change-Id: I3be32eb4e61926c3abd24c67e7dab9b4056bf00a Signed-off-by: Darren Hsu --- vendor/genfs_contexts | 3 +++ vendor/hal_power_stats_default.te | 2 ++ 2 files changed, 5 insertions(+) create mode 100644 vendor/hal_power_stats_default.te diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index dd1b196..4f547fd 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
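Review bot: The comment `# allow hal_wifi to write into /proc/debugdriver/driverdump` contradicts the rule under it: `r_dir_file(hal_wifi_ext, vendor_proc_wifi_dbg)` is read-only, and the logged denial is `read`. Change it to `# read the WLAN driver dump at /proc/debugdriver/driverdump (labeled vendor_proc_wifi_dbg)`. Since this is driver debug state and the rule is not wrapped in `userdebug_or_eng` like the logger rules elsewhere in this series, it is worth stating whether the HAL needs it on user builds as well.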
@@ -14,3 +14,6 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply/wir genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0 + +# PowerStats +genfscon sysfs /kernel/wifi/power_stats u:object_r:sysfs_power_stats:s0 diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te new file mode 100644 index 0000000..24527f9 --- /dev/null +++ b/vendor/hal_power_stats_default.te @@ -0,0 +1,2 @@ +# Needed to detect wifi on/off +get_prop(hal_power_stats_default, wifi_hal_prop) -- cgit v1.2.3 From f2a76321060290b11a659ef880de46e03e845721 Mon Sep 17 00:00:00 2001 From: chungkai Date: Fri, 29 Jul 2022 04:45:27 +0000 Subject: genfs_contexts: fix path for i2c peripheral device paths are changed when we enable parallel module loading and reorder the initializtaion of devices. Test: without avc denial on L10 when booting Bug: 240641235 Signed-off-by: chungkai Change-Id: I411ceaa02cb6fb36fc767937a62f945685c4a019 --- vendor/genfs_contexts | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 4f547fd..9f8526d 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
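Review bot: Nothing in the new `hal_power_stats_default.te` addresses the first denial quoted in the description (`read` on the `power_stats` sysfs file); that one is fixed solely by the `genfscon sysfs /kernel/wifi/power_stats u:object_r:sysfs_power_stats:s0` relabel, which only works if the shared policy already lets `hal_power_stats_default` read `sysfs_power_stats` — not visible here, so confirm it. A comment on the genfs line, e.g. `# wifi power stats; read by hal_power_stats_default via the shared sysfs_power_stats rules`, would save the next reader from hunting for a missing allow.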
@@ -6,13 +6,46 @@ genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0 genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0 # BMS +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 # System Suspend +genfscon sysfs 
/devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0 # PowerStats -- cgit v1.2.3 From 9ac637312bb4ab73f1998d3b71ec6ab76e638864 Mon Sep 17 00:00:00 2001 From: Hsiu-Chang Chen Date: Tue, 2 Aug 2022 16:39:19 +0800 Subject: wifi: correct label wlan0/p2p0/wifi-aware0 device as sysfs_net Bug: 239657967 Test: NetdSELinuxTest#CheckProperMTULabels Change-Id: I31db1d2110b2c18cf12a5cfa9b13e8c6dff09d59 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 4f547fd..8f929cb 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -4,6 +4,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u # Wifi genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0 genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/net u:object_r:sysfs_net:s0 # BMS genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0 -- cgit v1.2.3 From 11348d7e76e679950e663c5ea70281061736255c Mon Sep 17 00:00:00 2001 
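Review bot: Enumerating `i2c-0` through `i2c-8` for every p9222 path (and `pci0000`/`pci0001` for the mhi0 wakeup node) works around non-deterministic bus numbering, but it silently stops working the moment the bus enumerates as `i2c-9` or higher, and the file gives no hint of that limit or of why nine near-identical entries exist. A comment above the block, e.g. `# p9222 bus index varies with parallel module loading; entries cover i2c-0..8 only`, would make the assumption explicit, and the extra entries should be pruned once enumeration is made deterministic. The i2c-0 wakeup line appears split across two source lines here; presumably a rendering artifact, but verify the patch applies cleanly.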
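Review bot: The new `sysfs_net` label is pinned to the `pci0001:00/0001:00:00.0/0001:01:00.0` path only, while the neighbouring commit in this series had to add a `pci0000` twin for the same PCIe controller's `mhi0/wakeup` node because the PCI domain number also varies; if that applies to this device, `wlan0`/`p2p0` sysfs will fall back to plain `sysfs` on the other enumeration and `NetdSELinuxTest#CheckProperMTULabels` will regress. Consider adding `genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net u:object_r:sysfs_net:s0` alongside it, or a comment stating that only `pci0001` is possible here. This is inferred from the sibling change, so confirm against the device.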
From: Aaron Tsai Date: Thu, 4 Aug 2022 07:19:10 +0800 Subject: Fix avc denied for hal_radioext_default 05-30 13:13:30.868 867 867 I auditd : type=1400 audit(0.0:21): avc: denied { call } for comm="HwBinder:867_1" scontext=u:r:hal_radioext_default:s0 tcontext=u:r:hal_bluetooth_default:s0 tclass=binder permissive=0 Bug: 234311798 Test: verified with the forrest ROM and error log gone Change-Id: I0195fe2d8e81ea0149255524cfc047540159281b --- tracking_denials/bug_map | 1 - vendor/hal_radioext_default.te | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 vendor/hal_radioext_default.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 0a70c41..6602977 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,4 @@ crash_dump vendor_slog_file dir b/238837168 -hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 kernel vendor_charger_debugfs dir b/239887174 kernel vendor_regmap_debugfs dir b/238143398 diff --git a/vendor/hal_radioext_default.te b/vendor/hal_radioext_default.te new file mode 100644 index 0000000..1620f2b --- /dev/null +++ b/vendor/hal_radioext_default.te @@ -0,0 +1 @@ +binder_call(hal_radioext_default, hal_bluetooth_default) -- cgit v1.2.3 From e465f1a8563e2710d41395429ec7c0e8614f0f16 Mon Sep 17 00:00:00 2001 
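Review bot: `binder_call(hal_radioext_default, hal_bluetooth_default)` is added without any comment, and the macro is not a one-way grant: in AOSP it also lets the callee `transfer` binder objects back and use the caller's fds, so the reader should know which interface is being called. The `hal_bluetooth_coexistence_hwservice` registered for `hal_bluetooth_default` elsewhere in this tree looks like the target; if so, `# radioext HAL calls the BT coexistence hwservice served by hal_bluetooth_default` on the line would document it (confirm against the HAL source).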
From: Hsiu-Chang Chen Date: Thu, 25 Aug 2022 10:04:19 +0800 Subject: Add sepolicy for wifi_sniffer and wifi_perf_diag avc: denied { search } for name="wifi" dev="dm-38" ino=329 scontext=u:r:wifi_sniffer:s0 tcontext=u:object_r:vendor_wifi_vendor_data_file:s0 tclass=dir avc: denied { setuid } for capability=7 scontext=u:r:wifi_sniffer:s0 tcontext=u:r:wifi_sniffer:s0 tclass=capability avc: denied { setgid } for capability=6 scontext=u:r:wifi_sniffer:s0 tcontext=u:r:wifi_sniffer:s0 tclass=capability avc: denied { search } for comm="wifi_perf_diag" name="wifi" dev="dm-38" ino=329 scontext=u:r:wifi_perf_diag:s0 tcontext=u:object_r:vendor_wifi_vendor_data_file:s0 tclass=dir Bug: 243727673 Test: PixelLogger works normally Change-Id: Idd0bb1ffeb198eea855b717a745fd93fecfe2251 --- vendor/wifi_perf_diag.te | 3 +++ vendor/wifi_sniffer.te | 4 ++++ 2 files changed, 7 insertions(+) create mode 100644 vendor/wifi_perf_diag.te create mode 100644 vendor/wifi_sniffer.te diff --git a/vendor/wifi_perf_diag.te b/vendor/wifi_perf_diag.te new file mode 100644 index 0000000..b49c0da --- /dev/null +++ b/vendor/wifi_perf_diag.te @@ -0,0 +1,3 @@ +userdebug_or_eng(` + allow wifi_perf_diag vendor_wifi_vendor_data_file:dir rw_dir_perms; +') diff --git a/vendor/wifi_sniffer.te b/vendor/wifi_sniffer.te new file mode 100644 index 0000000..c1e5cfa --- /dev/null +++ b/vendor/wifi_sniffer.te @@ -0,0 +1,4 @@ +userdebug_or_eng(` + allow wifi_sniffer self:capability { setuid setgid }; + allow wifi_sniffer vendor_wifi_vendor_data_file:dir rw_dir_perms; +') -- cgit v1.2.3 From ea80cb501622f35602e8b5f3fa041c736864de9f Mon Sep 17 00:00:00 2001 
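Review bot: The `wifi_perf_diag` rule grants `rw_dir_perms` where the logged denial is only `search` on the `wifi` directory, so `add_name`/`remove_name`/`write` are not evidenced; `search` or `r_dir_perms` is the tighter fit unless the tool is known to create files there, in which case a `file` rule will be needed anyway. A one-line comment naming the consumer, e.g. `# PixelLogger wifi perf diagnostics, debug builds only`, would also help.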
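Review bot: `allow wifi_sniffer self:capability { setuid setgid };` lets the process switch to any uid/gid, root included, and the denials only show that the syscalls were attempted, not why; the rule should be paired with confirmation that the binary uses it to drop privileges (e.g. to a dedicated wifi uid after opening the capture interface) rather than to escalate, and if it only changes uid, `setgid` can go. Record the reason inline, e.g. `# drops to an unprivileged uid/gid after opening the capture interface -- TODO confirm`. As in the sibling files, `rw_dir_perms` on the wifi data directory is broader than the logged `search`.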
From: Hsiu-Chang Chen Date: Thu, 25 Aug 2022 16:56:44 +0800 Subject: Add sepolicy for tcpdump_logger avc: denied { search } for name="wifi" dev="dm-44" ino=329 scontext=u:r:tcpdump_logger:s0 tcontext=u:object_r:vendor_wifi_vendor_data_file:s0 tclass=dir Bug: 243764714 Test: PixelLogger works normally Change-Id: I4ee93dbe10bae08e01053656a8429c57bb3651c8 --- vendor/tcpdump_logger.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 vendor/tcpdump_logger.te diff --git a/vendor/tcpdump_logger.te b/vendor/tcpdump_logger.te new file mode 100644 index 0000000..9f00bb7 --- /dev/null +++ b/vendor/tcpdump_logger.te @@ -0,0 +1,3 @@ +userdebug_or_eng(` + allow tcpdump_logger vendor_wifi_vendor_data_file:dir rw_dir_perms; +') -- cgit v1.2.3 From b2c724f0edfa43dcd6f9521e0546c2f79dc9f02b Mon Sep 17 00:00:00 2001 From: Hsiu-Chang Chen Date: Fri, 14 Oct 2022 14:24:09 +0800 Subject: Add sepolicy rules for hal_wifi_default In PDK build, it uses default wifi hal instead wifi_ext hal. Need to add rules for hal_wifi_default as well as we added for hal_wifi_ext Bug: 253544307 Test: Wifi can be enabled in PDK builds Change-Id: I57ad330c2467ae99b9c5190fbdc2f02e998b2fc1 --- vendor/hal_wifi_default.te | 19 +++++++++++++++++++ vendor/lowi_server.te | 1 + vendor/vendor_location.te | 1 + 3 files changed, 21 insertions(+) create mode 100644 vendor/hal_wifi_default.te diff --git a/vendor/hal_wifi_default.te b/vendor/hal_wifi_default.te new file mode 100644 index 0000000..418aba5 --- /dev/null +++ b/vendor/hal_wifi_default.te 
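Review bot: As with the other logger domains in this series, the `tcpdump_logger` rule grants `rw_dir_perms` while the denial shows only `search` on the `wifi` directory; if tcpdump writes captures there it will need `create_file_perms` on the `file` class as well, and if it does not, `search` is enough. A short comment stating which it is, e.g. `# PixelLogger tcpdump captures land in the vendor wifi data dir (debug builds only)`, would let the next reviewer judge the grant.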
@@ -0,0 +1,19 @@
+allow hal_wifi_default vendor_wlan_device:chr_file w_file_perms;
+allow hal_wifi_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
+
+# write to files owned by location daemon
+allow hal_wifi_default vendor_location_socket:dir rw_dir_perms;
+allow hal_wifi_default vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow hal_wifi_default vendor_location:unix_dgram_socket sendto;
+allow hal_wifi_default lowi_server:unix_dgram_socket sendto;
+
+# Connect to vendor_location via vendor_location socket.
+unix_socket_connect(hal_wifi, vendor_location, vendor_location)
+allow hal_wifi_default vendor_wifihal_socket:dir rw_dir_perms;
+allow hal_wifi_default vendor_wifihal_socket:sock_file create_file_perms;
+
+# allow hal_wifi to write into /proc/debugdriver/driverdump
+r_dir_file(hal_wifi_default, vendor_proc_wifi_dbg);
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_default, vendor_wifi_version)
diff --git a/vendor/lowi_server.te b/vendor/lowi_server.te
index e107cf2..21dfb81 100644
--- a/vendor/lowi_server.te
+++ b/vendor/lowi_server.te
@@ -28,6 +28,7 @@ allow lowi_server hal_wifi_supplicant_default:unix_dgram_socket sendto;
 allow lowi_server vendor_wifihal_socket:dir rw_dir_perms;
 allow lowi_server vendor_wifihal_socket:sock_file create_file_perms;
 allow lowi_server vendor_wifihal_socket:unix_dgram_socket sendto;
+unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_default);
 unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_ext);
 # /dev/socket/vendor_location
diff --git a/vendor/vendor_location.te b/vendor/vendor_location.te
index 05f55a6..b41c6a8 100644
--- a/vendor/vendor_location.te
+++ b/vendor/vendor_location.te
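Review bot: `unix_socket_connect(hal_wifi, vendor_location, vendor_location)` passes the `hal_wifi` attribute as the client domain while every other rule in this new file names `hal_wifi_default`, so the write on vendor_location_socket and connectto on vendor_location are granted to every domain carrying hal_wifi (which in AOSP includes the HAL's client domains), not just this HAL; it should read `unix_socket_connect(hal_wifi_default, vendor_location, vendor_location)`. The comment `# allow hal_wifi to write into /proc/debugdriver/driverdump` also contradicts the rule beneath it, `r_dir_file(hal_wifi_default, vendor_proc_wifi_dbg);`, which is read-only; either reword it to `# allow hal_wifi_default to read /proc/debugdriver/driverdump` or grant the write the comment describes, whichever matches the driver. Since the message says these rules mirror hal_wifi_ext.te, that file is worth checking for the same two issues.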
@@ -16,4 +16,5 @@ allow vendor_location vendor_location_sysfs:file create_file_perms;
 # /dev/socket/location/mq/*
 allow vendor_location lowi_server:unix_dgram_socket {sendto read write};
+allow vendor_location hal_wifi_default:unix_dgram_socket {sendto read write};
 allow vendor_location hal_wifi_ext:unix_dgram_socket {sendto read write};
--
cgit v1.2.3
From cf6ebcdd6f63f2c2e1fd631b4744efa327595ff7 Mon Sep 17 00:00:00 2001
From: Hsiu-Chang Chen
Date: Fri, 28 Oct 2022 12:35:02 +0800
Subject: Fix avc denied for init-insmod-sh qrtr.ko doesn't request net_admin permission now
05-30 05:12:58.524 492 492 I auditd : type=1400 audit(0.0:4): avc: denied { net_admin } for comm="modprobe" capability=12 scontext=u:r:init-insmod-sh:s0 tcontext=u:r:init-insmod-sh:s0 tclass=capability permissive=0
Bug: 234311675
Test: verified with the forrest ROM and error log gone
Change-Id: I72fb5441b977b6ba67d19416049a2776c3aebd12
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 6602977..cc9e88c 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,4 +1,3 @@
 crash_dump vendor_slog_file dir b/238837168
-init-insmod-sh init-insmod-sh capability b/234311675
 kernel vendor_charger_debugfs dir b/239887174
 kernel vendor_regmap_debugfs dir b/238143398
--
cgit v1.2.3
From b5eec482fddc6f16ce368ad868ab87d83f30439d Mon Sep 17 00:00:00 2001
From: Chris Paulo
Date: Fri, 16 Sep 2022 23:54:10 +0000
Subject: device-sepolicy: Add sepolicy for vibrator hal Added sepolicy for vibrator hal specific to device uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { read } for property=vibrator.adaptive_haptics.enabled pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1'
avc: denied { open } for comm="odrefresh" path="/dev/__properties__/u:object_r:adaptive_haptics_prop:s0" dev="tmpfs" ino=80 scontext=u:r:odrefresh:s0 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1
avc: denied { getattr } for comm="odrefresh" path="/dev/__properties__/u:object_r:adaptive_haptics_prop:s0" dev="tmpfs" ino=80 scontext=u:r:odrefresh:s0 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1
avc: denied { map } for comm="odrefresh" path="/dev/__properties__/u:object_r:adaptive_haptics_prop:s0" dev="tmpfs" ino=80 scontext=u:r:odrefresh:s0 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1
avc: denied { write } for comm="android.hardwar" name="chre" dev="tmpfs" ino=1094 scontext=u:r:hal_vibrator_default:s0 tcontext=u:object_r:chre_socket:s0 tclass=sock_file permissive=1
avc: denied { connectto } for comm="android.hardwar" path="/dev/socket/chre" scontext=u:r:hal_vibrator_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1
avc: denied { open } for comm="binder:8084_3" path="/dev/__properties__/u:object_r:adaptive_haptics_prop:s0" dev="tmpfs" ino=80 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1 app=com.google.android.gms
avc: denied { getattr } for comm="binder:8084_3" path="/dev/__properties__/u:object_r:adaptive_haptics_prop:s0" dev="tmpfs" ino=80 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1 app=com.google.android.gms
Bug: 198239103
Test: Verified functionality
Signed-off-by: Chris Paulo
Change-Id: Ib118b553eab1db6f9fadaebeae0d57eb329294e3
---
 vendor/file_contexts | 3 +++
 vendor/hal_vibrator_default.te | 3 +++
 vendor/property_contexts | 2 ++
 vendor/vendor_init.te | 4 ++++
 4 files changed, 12 insertions(+)
 create mode 100644 vendor/hal_vibrator_default.te
 create mode 100644 vendor/property_contexts
diff --git a/vendor/file_contexts b/vendor/file_contexts
index d692577..1b1cd08 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -15,3 +15,6 @@
 /dev/socket/wifihal(/.*)? u:object_r:vendor_wifihal_socket:s0
 /vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0
 /vendor/bin/lowi-server u:object_r:lowi_server_exec:s0
+
+# Haptics
+/vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l26-private-lynx u:object_r:hal_vibrator_default_exec:s0
\ No newline at end of file
diff --git a/vendor/hal_vibrator_default.te b/vendor/hal_vibrator_default.te
new file mode 100644
index 0000000..b5c7202
--- /dev/null
+++ b/vendor/hal_vibrator_default.te
@@ -0,0 +1,3 @@
+# Allow Vibrator HAL to communicate with daemon via socket
+allow hal_vibrator_default chre:unix_stream_socket connectto;
+allow hal_vibrator_default chre_socket:sock_file write;
\ No newline at end of file
diff --git a/vendor/property_contexts b/vendor/property_contexts
new file mode 100644
index 0000000..75cbb36
--- /dev/null
+++ b/vendor/property_contexts
@@ -0,0 +1,2 @@
+# Haptics
+persist.vendor.vibrator.hal. u:object_r:vendor_vibrator_prop:s0
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 6d9b469..440c30c 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -1 +1,5 @@
+# Camera
 set_prop(vendor_init, vendor_camera_prop)
+
+# Haptics
+get_prop(vendor_init, adaptive_haptics_prop)
--
cgit v1.2.3
From 5b9f54e76dd35225c2ea1cf9052667f431fa460b Mon Sep 17 00:00:00 2001
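Review bot: The added file_contexts entry ends with `\ No newline at end of file`, and the new hal_vibrator_default.te in this commit has the same defect; the next edit to either file will show this line as modified even though its content did not change. Add the trailing newline to both files before merging.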
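Review bot: The two rules `allow hal_vibrator_default chre:unix_stream_socket connectto;` and `allow hal_vibrator_default chre_socket:sock_file write;` are exactly what the `unix_socket_connect` macro expands to, and hal_wifi_default.te in this repository already uses that macro for the same pattern; `unix_socket_connect(hal_vibrator_default, chre, chre)` replaces both lines and keeps the file consistent with the rest of the policy. The comment above them should also name the peer, e.g. `# Connect to the chre daemon over /dev/socket/chre`, since "daemon" alone does not say which one.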
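Review bot: The denials quoted in the message for odrefresh and gmscore_app reading adaptive_haptics_prop are not addressed by any hunk: the only property rule added is `get_prop(vendor_init, adaptive_haptics_prop)`, and the new property_contexts labels `persist.vendor.vibrator.hal.` as vendor_vibrator_prop, a type the denials never mention and that is not declared in this change. If those two denials are meant to be resolved where adaptive_haptics_prop is defined, or are accepted as harmless, the message should say so; otherwise they will reappear once the device runs enforcing. Confirm too that vendor_vibrator_prop exists in the shared policy this repository builds against, since a property_contexts entry for an undeclared type would fail the contexts check.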
From: Vic Huang
Date: Fri, 2 Dec 2022 11:48:18 +0000
Subject: No avc denied in SELinuxUncheckedDenialBootTest DeviceBootTest.DeviceBootTest.SELinuxUncheckedDenialBootTest
avc: denied { call } for comm="oid.grilservice" scontext=u:r:grilservice_app:s0:c227,c256,c512,c768 tcontext=u:r:hal_bluetooth_default:s0 tclass=binder permissive=0 app=com.google.android.grilservice
Bug: 259198345
Change-Id: Ie3800e3197f04b83ba8789c82518cbb721e1fe37
---
 tracking_denials/grilservice_app.te | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 tracking_denials/grilservice_app.te
diff --git a/tracking_denials/grilservice_app.te b/tracking_denials/grilservice_app.te
new file mode 100644
index 0000000..cf98a89
--- /dev/null
+++ b/tracking_denials/grilservice_app.te
@@ -0,0 +1 @@
+dontaudit grilservice_app hal_bluetooth_default:binder call;
--
cgit v1.2.3
From c70f56e2dfe6f45613aba527bc53925929ba45d2 Mon Sep 17 00:00:00 2001
From: Ken Yang
Date: Fri, 16 Dec 2022 05:52:28 +0000
Subject: WLC: Add device specific sepolicy for wireless_charger
Bug: 237600973
Change-Id: I9d219c3abf02266cc8200c70840a65aedb17ee7b
Signed-off-by: Ken Yang
---
 vendor/platform_app.te | 2 ++
 vendor/system_app.te | 2 ++
 2 files changed, 4 insertions(+)
 create mode 100644 vendor/platform_app.te
 create mode 100644 vendor/system_app.te
diff --git a/vendor/platform_app.te b/vendor/platform_app.te
new file mode 100644
index 0000000..6ac0514
--- /dev/null
+++ b/vendor/platform_app.te
@@ -0,0 +1,2 @@
+allow platform_app hal_wireless_charger_service:service_manager find;
+binder_call(platform_app, hal_wireless_charger)
diff --git a/vendor/system_app.te b/vendor/system_app.te
new file mode 100644
index 0000000..ca56668
--- /dev/null
+++ b/vendor/system_app.te
@@ -0,0 +1,2 @@
+allow system_app hal_wireless_charger_service:service_manager find;
+binder_call(system_app, hal_wireless_charger)
--
cgit v1.2.3
From e5a1cde5d486cbbd8988af8f5bc151a527de114c Mon Sep 17 00:00:00 2001
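Review bot: The new tracking_denials/grilservice_app.te has no bug reference on the rule, whereas the other tracking_denials files in this series (dumpstate.te, hal_vibrator_default.te and the bug_map entries) record one; add `# b/259198345` above the dontaudit so the suppression can be found and removed when the bug closes. Note that dontaudit only silences the log: the binder call from grilservice_app to hal_bluetooth_default is still denied in enforcing mode, so whatever the app does with that HAL remains broken until a real rule or a code change lands, and the bug should say which is planned.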
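Review bot: `binder_call(platform_app, hal_wireless_charger)` plus the service_manager find rule gives every app in the platform_app domain direct binder access to the wireless-charger HAL, and vendor/system_app.te in this commit does the same for system_app; both domains hold many unrelated apps, so the grant is far wider than the single consumer presumably behind it. If one app needs this interface, a dedicated app domain for it, or routing through a system service that is already a HAL client, keeps the exposure narrow; at minimum a comment naming the consuming app (e.g. `# <app>: wireless charger status via hal_wireless_charger`) should accompany the rules. Both files are deleted again later in this series, which suggests the approach was reconsidered.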
From: Myles Watson
Date: Tue, 10 Jan 2023 06:28:45 -0800
Subject: Lynx: Use common sepolicy for bt_device
Bug: 205758693
Test: build
Ignore-AOSP-First: Some devices in internal define bt_device
Change-Id: Ic1b7469d64c79285d9d7993befbe173c9bca34aa
---
 bluetooth/device.te | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 bluetooth/device.te
diff --git a/bluetooth/device.te b/bluetooth/device.te
deleted file mode 100644
index 7ed13ad..0000000
--- a/bluetooth/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type bt_device, dev_type;
--
cgit v1.2.3
From 966927efa328db7b9c26e6a8dc42272299a1577b Mon Sep 17 00:00:00 2001
From: Myles Watson
Date: Tue, 10 Jan 2023 06:28:45 -0800
Subject: Lynx: Use common sepolicy for bt_device
Bug: 205758693
Test: build
Ignore-AOSP-First: Some devices in internal define bt_device
Change-Id: Ic1b7469d64c79285d9d7993befbe173c9bca34aa
(cherry picked from commit e5a1cde5d486cbbd8988af8f5bc151a527de114c)
Merged-In: Ic1b7469d64c79285d9d7993befbe173c9bca34aa
---
 bluetooth/device.te | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 bluetooth/device.te
diff --git a/bluetooth/device.te b/bluetooth/device.te
deleted file mode 100644
index 7ed13ad..0000000
--- a/bluetooth/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type bt_device, dev_type;
--
cgit v1.2.3
From fa9c88aef83d59b8f0eca2c0cc1142c5a4fa44d8 Mon Sep 17 00:00:00 2001
From: Ken Yang
Date: Fri, 6 Jan 2023 19:29:58 +0000
Subject: WLC: Cleanup the sysfs_wlc policies
Bug: 263830018
Change-Id: I6b31c6127e01b946c51200683b511853f2d304b4
Signed-off-by: Ken Yang
---
 vendor/platform_app.te | 2 --
 vendor/system_app.te | 2 --
 2 files changed, 4 deletions(-)
 delete mode 100644 vendor/platform_app.te
 delete mode 100644 vendor/system_app.te
diff --git a/vendor/platform_app.te b/vendor/platform_app.te
deleted file mode 100644
index 6ac0514..0000000
--- a/vendor/platform_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow platform_app hal_wireless_charger_service:service_manager find;
-binder_call(platform_app, hal_wireless_charger)
diff --git a/vendor/system_app.te b/vendor/system_app.te
deleted file mode 100644
index ca56668..0000000
--- a/vendor/system_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow system_app hal_wireless_charger_service:service_manager find;
-binder_call(system_app, hal_wireless_charger)
--
cgit v1.2.3
From 53746d95466a594b3e3edb5eb1adc448b968253e Mon Sep 17 00:00:00 2001
From: Hsiu-Chang Chen
Date: Mon, 13 Feb 2023 17:24:16 +0800
Subject: wlan: add cnss-daemon and related libraries cnss-daemon is necessary for CHRE function
Bug: 264524963
Test: Regression Test
Change-Id: Ic7b63617e30a9e6427b0ac280bf4763f9cc19f6e
---
 vendor/cnss-daemon.te | 20 ++++++++++++++++++++
 vendor/file.te | 1 +
 vendor/file_contexts | 1 +
 vendor/genfs_contexts | 1 +
 4 files changed, 23 insertions(+)
 create mode 100644 vendor/cnss-daemon.te
diff --git a/vendor/cnss-daemon.te b/vendor/cnss-daemon.te
new file mode 100644
index 0000000..e6ea641
--- /dev/null
+++ b/vendor/cnss-daemon.te
@@ -0,0 +1,20 @@
+# cnss-daemon service
+type cnss-daemon, domain;
+type cnss-daemon_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(cnss-daemon)
+
+net_domain(cnss-daemon)
+
+allow cnss-daemon self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow cnss-daemon self:qipcrtr_socket create_socket_perms_no_ioctl;
+
+# /data/vendor/wifi/
+allow cnss-daemon vendor_wifi_vendor_data_file:dir create_dir_perms;
+allow cnss-daemon vendor_wifi_vendor_data_file:file create_file_perms;
+
+# /proc/sys/net/ipv4/tcp_adv_win_scal
+allow cnss-daemon proc_net:file rw_file_perms;
+
+# /sys/class/remoteproc
+allow cnss-daemon sysfs_cnss_daemon:dir r_dir_perms;
+allow cnss-daemon sysfs_cnss_daemon:file r_file_perms;
diff --git a/vendor/file.te b/vendor/file.te
index b70b548..7f9aa22 100644
--- a/vendor/file.te
+++ b/vendor/file.te
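Review bot: `allow cnss-daemon proc_net:file rw_file_perms;` grants read and write on every file labelled proc_net, while the comment above it says only `/proc/sys/net/ipv4/tcp_adv_win_scal` is needed (the name looks truncated; presumably tcp_adv_win_scale). The same commit already uses the narrower pattern for sysfs — a dedicated type in file.te plus a genfscon line — and the same can be done here unless the shared policy already gives that sysctl its own label: declare a proc type such as `vendor_proc_cnss` (name constructed here), label it with `genfscon proc /sys/net/ipv4/tcp_adv_win_scale u:object_r:vendor_proc_cnss:s0`, and grant `allow cnss-daemon vendor_proc_cnss:file rw_file_perms;` instead. Completing the sysctl name in the comment would also help whoever maintains this next.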
@@ -4,3 +4,4 @@ type vendor_wifi_vendor_data_file, file_type, data_file_type;
 type vendor_wifihal_socket, file_type;
 type vendor_location_sysfs, fs_type, sysfs_type;
 type vendor_proc_wifi_dbg, fs_type, proc_type;
+type sysfs_cnss_daemon, fs_type, sysfs_type;
\ No newline at end of file
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1b1cd08..c224e48 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -15,6 +15,7 @@
 /dev/socket/wifihal(/.*)? u:object_r:vendor_wifihal_socket:s0
 /vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0
 /vendor/bin/lowi-server u:object_r:lowi_server_exec:s0
+/vendor/bin/cnss-daemon u:object_r:cnss-daemon_exec:s0
 # Haptics
 /vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l26-private-lynx u:object_r:hal_vibrator_default_exec:s0
\ No newline at end of file
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 8f929cb..0ee732e 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -5,6 +5,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u
 genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0
 genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/net u:object_r:sysfs_net:s0
+genfscon sysfs /class/remoteproc u:object_r:sysfs_cnss_daemon:s0
 # BMS
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0
--
cgit v1.2.3
From 02be088bc56db96b395b177935ebed3509fbb650 Mon Sep 17 00:00:00 2001
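Review bot: `+type sysfs_cnss_daemon, fs_type, sysfs_type;` is appended with `\ No newline at end of file`, leaving file.te without a terminating newline; add it so the next type added here does not show this line as changed. The type is also named after its consumer rather than after what it labels (`/sys/class/remoteproc`, per the genfs_contexts hunk of this commit); a name such as `sysfs_remoteproc` (constructed here) follows the neighbouring vendor_proc_wifi_dbg and stays meaningful if a second domain later needs the same node.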
From: Tai Kuo
Date: Thu, 16 Feb 2023 18:44:24 +0800
Subject: Revert "device-sepolicy: Add sepolicy for vibrator hal" This reverts commit b5eec482fddc6f16ce368ad868ab87d83f30439d.
Bug: 198239103
Test: build pass on git_tm-qpr-dev-plus-aosp
Change-Id: Iee9305e6ba5abbc8df9b353ed5bbfeaa64f0b43b
---
 vendor/file_contexts | 3 ---
 vendor/hal_vibrator_default.te | 3 ---
 vendor/property_contexts | 2 --
 vendor/vendor_init.te | 3 ---
 4 files changed, 11 deletions(-)
 delete mode 100644 vendor/hal_vibrator_default.te
 delete mode 100644 vendor/property_contexts
diff --git a/vendor/file_contexts b/vendor/file_contexts
index c224e48..bc7e2fc 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -16,6 +16,3 @@
 /vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0
 /vendor/bin/lowi-server u:object_r:lowi_server_exec:s0
 /vendor/bin/cnss-daemon u:object_r:cnss-daemon_exec:s0
-
-# Haptics
-/vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l26-private-lynx u:object_r:hal_vibrator_default_exec:s0
\ No newline at end of file
diff --git a/vendor/hal_vibrator_default.te b/vendor/hal_vibrator_default.te
deleted file mode 100644
index b5c7202..0000000
--- a/vendor/hal_vibrator_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allow Vibrator HAL to communicate with daemon via socket
-allow hal_vibrator_default chre:unix_stream_socket connectto;
-allow hal_vibrator_default chre_socket:sock_file write;
\ No newline at end of file
diff --git a/vendor/property_contexts b/vendor/property_contexts
deleted file mode 100644
index 75cbb36..0000000
--- a/vendor/property_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# Haptics
-persist.vendor.vibrator.hal. u:object_r:vendor_vibrator_prop:s0
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 440c30c..cc2e3ad 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -1,5 +1,2 @@
 # Camera
 set_prop(vendor_init, vendor_camera_prop)
-
-# Haptics
-get_prop(vendor_init, adaptive_haptics_prop)
--
cgit v1.2.3
From f446026014d9fe35f3b0f9629824b6814099a10a Mon Sep 17 00:00:00 2001
From: Yen-Chao Chen
Date: Fri, 24 Feb 2023 15:05:52 +0800
Subject: Suppress avc denials of sysfs
Bug: 267839070
Test: adb bugreport
Change-Id: I8d4aed4aba15efa0cc38574565e4a66bc3049321
Signed-off-by: Yen-Chao Chen
---
 vendor/hal_dumpstate_default.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 vendor/hal_dumpstate_default.te
diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te
new file mode 100644
index 0000000..d513b88
--- /dev/null
+++ b/vendor/hal_dumpstate_default.te
@@ -0,0 +1,2 @@
+# b/267839070
+dontaudit hal_dumpstate_default sysfs:dir { read };
--
cgit v1.2.3
From 90d58d25533b2aef11c4767641e9a868f2d31788 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Fri, 24 Mar 2023 11:11:28 +0800
Subject: Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 275002086
Test: scanBugreport
Bug: 239887174
Test: scanAvcDeniedLogRightAfterReboot
Bug: 239887174
Change-Id: I9a0a1b3ef0642700a4555258c9e8aff7ec82e084
---
 tracking_denials/bug_map | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index cc9e88c..a364f18 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,5 @@
 crash_dump vendor_slog_file dir b/238837168
+hal_camera_default boot_status_prop file b/275002086
+hal_camera_default edgetpu_app_service service_manager b/275002086
 kernel vendor_charger_debugfs dir b/239887174
 kernel vendor_regmap_debugfs dir b/238143398
--
cgit v1.2.3
From c1c6e069f6af9a202577ee4fd62909fc7128d7c7 Mon Sep 17 00:00:00 2001
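Review bot: `dontaudit hal_dumpstate_default sysfs:dir { read };` is a bug-tracked suppression placed under vendor/, whereas this repository keeps such rules in tracking_denials/ (see tracking_denials/dumpstate.te and hal_vibrator_default.te added in the next commit); moving it there makes it easy to find when b/267839070 is closed. It also covers every directory labelled sysfs rather than the path that was denied, so a genuine collection failure in bugreport will now be silent; if the denied path is known, labelling it and granting read is the durable fix, and the comment should at least name that path.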
From: Wilson Sung
Date: Fri, 7 Apr 2023 15:08:57 +0800
Subject: Update error on ROM 9892479
Bug: 277155327
Bug: 277300226
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I2690bcd7b3ae0d869f39851d5fb692378cbb6e9a
---
 tracking_denials/dumpstate.te | 2 ++
 tracking_denials/hal_vibrator_default.te | 2 ++
 2 files changed, 4 insertions(+)
 create mode 100644 tracking_denials/dumpstate.te
 create mode 100644 tracking_denials/hal_vibrator_default.te
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
new file mode 100644
index 0000000..13af0d5
--- /dev/null
+++ b/tracking_denials/dumpstate.te
@@ -0,0 +1,2 @@
+# b/277155327
+dontaudit dumpstate default_android_service:service_manager { find };
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
new file mode 100644
index 0000000..ece806d
--- /dev/null
+++ b/tracking_denials/hal_vibrator_default.te
@@ -0,0 +1,2 @@
+# b/277300226
+dontaudit hal_vibrator_default default_android_service:service_manager { find };
--
cgit v1.2.3